In the world of the chief audit executive (CAE), stakeholders are looking for deeper insights and value. It’s a world of rapid change on economic, geopolitical, technological, social and other fronts in which the organisation the CAE serves must adapt and grow or risk decline and its ultimate demise. As the risks companies face and the related audit universe change, the focus and skill sets needed by internal audit must evolve, too. But that change is not possible unless internal audit also innovates and transforms itself to keep pace with the velocity of advancements in the business.
For several years, Protiviti has explored the concept of the future auditor. Introduced five years ago, the “future auditor vision” describes a CAE who is taking definitive steps toward making The Institute of Internal Auditors’ vision of “an independent, objective assurance and consulting activity that adds value and improves an organisation’s operations” a reality. Since then, we have assessed the relevance of this vision against expectations of internal audit stakeholders.And we have considered various ways to advance the future auditor’s vital relationship with the audit committee on three distinct but interrelated fronts: risk, value and communication.
Today, innovation and change are givens, and digital technology is fueling them both. The question arises as to whether internal audit is adjusting quickly enough to innovate and embrace underlying technologies. That is a question of remaining relevant in an environment of ever-changing business realities and stakeholder expectations. It offers the context for the topic of this issue of The Bulletin — the future auditor goes digital.
The Next-Generation Internal Audit Function
In a recent Protiviti white paper, we described what we call the “next-generation internal audit function.” By “next generation,” we mean a function that embraces an agile, holistic approach that focuses on governance, methodology and technology while delivering stronger assurance and more valuable insights to the business in an efficient manner. To build such a function, the future auditor acknowledges the need for change, understands the essential capabilities for effecting change and undertakes a game plan for getting started.
To the future auditor, “next generation” is:
An agile, multiskilled and technology-enabled function able to recognise emerging risks and changes to the organisation’s risk profile quickly enough to reflect them in a timely manner in the audit plan so they can be addressed in the assurance the function delivers.
Traditional methodologies, long-trusted stand-alone point solutions addressing specific needs and conventional thinking simply can’t accomplish these tasks efficiently at the speed of change that is occurring. Many CAEs see that internal audit tools and techniques are evolving rapidly, stirring excitement about transformation possibilities and innovation within the function. In polling at various webinars and conference presentations, as well as in independent research conducted by Protiviti, a strong majority of participants consistently indicate that they are undertaking “next-generation” auditing initiatives.
Next-generation internal audit functions have three essential objectives:
- Improve assurance by increasing focus on key risks — Moving to a more data-enabled and continuous approach to assessing how risks change across the organisation allows internal audit to provide internal and external stakeholders with relevant, timely and impactful findings on the effectiveness of risk management and controls.
- Make internal audit more efficient — By evolving and taking advantage of technologies and data to enable agile methodologies and approaches, internal audit can deliver increased efficiency and deeper insights on risk assurance.
- Provide deeper, more valuable and timelier insights from audit activities and processes — The bar is raised when audit activities illuminate risks and unforeseen consequences inherent in longer-term digital transformation and growth strategies and provide the information for decision-making that increases confidence in return on investment (ROI) from process changes. The result: Internal audit helps the organisation make better, faster decisions in improving operations and addressing and managing current risks.
The objectives of these transformations to a next-generation function — efficiency, adaptability, increased engagement and deeper, more valuable insights — are easy to understand. But the mechanisms to implement such changes vary across a range of innovative approaches, tools and governance processes all intertwined with an innovative culture the future auditor tailors to the organisation’s needs and his or her vision for next-generation internal audit. Differences aside, nearly all of the transformations Protiviti has supported have addressed most, if not all, of the following competencies, qualities and components.
Protiviti's Vision - The Next Generation of Internal Auditing
Source: The Next Generation of Internal Auditing - Are You Ready? Catch the Innovation Wave, Protiviti, November 2018
As seen in the above schematic, there are three broad categories of next-generation capabilities. The first is governance, which includes the internal audit strategic vision, organisational structure, resource and talent management, and aligned assurance. The second is methodology, which is the “how” of transformation, or the body of methods, rules and procedures guiding the function’s operations from risk assessment to execution to reporting. Finally, enabling technology includes the tools of the digital age — process mining, advanced analytics, robotic process automation (RPA), machine learning (ML) and artificial intelligence (AI). The technologies the future auditor chooses to implement are an integral part of the overall transformation process.
These categories are interrelated; they impact the people, processes, data and technology supporting the internal audit function. Focusing solely on individual components yields limited benefits. Holistic change is the key to accelerated and higher-value outcomes. For example, process mining used as a new capability but only as part of a traditional audit approach will not yield its full benefits. To maximise ROI from new technologies, the future auditor redesigns aspects of the audit activity while also evolving audit team skill sets. That is why the elements comprising the governance category are so important.
The Journey Has Begun
Our research indicates three in four functions are undertaking some form of innovation or transformation effort, but also that next-generation capabilities adoption is in a relatively early stage. In many instances, the implementation of the governance mechanisms, agile methodologies and enabling technologies that comprise the next-generation internal audit model has so far occurred in an ad hoc manner. Internal audit groups within organisations that are digital leaders have made substantially more progress with their innovation and transformation initiatives. The message is clear for the significant number of functions that have yet to begin their next-generation journeys: It’s time to get started.
Digital leaders recognise that transformation is much more than undertaking a few discrete projects and disparate activities. Beginning and sustaining the journey requires a culture and mindset focused on continuously seeking new ways to innovate and do things better by leveraging new processes and the latest technologies. Accordingly, the future auditor obtains buy-in from team members and encourages development and sharing of new ideas and solutions. For example, the number of internal audit functions with designated “innovation/transformation champions” is on the rise, with over 60% of companies indicating they have one.
Of interest, even the Public Company Accounting Oversight Board has this topic on its screen. The board has stated that it is focusing on an array of technology advancements affecting today’s audits, including the use of software audit tools.
Next-Generation Enabling Technology
The future auditor welcomes disruption, divergent thinking and creative problem-solving. Next-generation internal audit is about encouraging innovative responses to how audit can do things differently. Structured template thinking is a thing of the past because it will not deliver the value and relevant observations expected by stakeholders in a changing world. Embracing analytics and new technologies should not be a mere initiative but must be fully embedded in the audit methodology as an integral part of what internal audit does. Thus, the future auditor makes it a priority to engage everyone in the transformation process.
Next-generation functions rely extensively on automation, data analysis and a variety of advanced technology applications. More substantive progress is needed in several areas if early-stage, next-generation audit models are to mature and fulfill their potential. Common technology activities and tools implemented in next-generation transformations include:
- Ubiquitous data analyses and advanced analytics: These capabilities access a broad swath of data to develop a holistic view of risk. This includes full sample analysis, data-driven flowcharting and leveraging early-warning systems using risk thresholds. The mixture of big data, process automation and data analytics offers interactive visualisations and business intelligence capabilities and can help to make time for more strategic analysis to convert data and information to real insights and enable creation of impactful reports.
- Automated processes: RPA is a powerful means of eliminating manual-intensive tasks, allowing audit teams to focus intently on key business risks and areas requiring the exercise of professional judgment. Examples of processes that could be automated include automated translations from one language to another, reviewing large volumes of contracts to identify high-risk terms or clauses requiring further review, generating audit announcements and document request lists, gathering and organising data and other artifacts, and data entry and document upload into audit management and governance, risk and compliance (GRC) platforms. Advanced monitoring techniques can also drive greater audit coverage, efficiencies and early alerts.
- Process mining insights: Process mining technology extracts data easily from within the company’s systems to discover and monitor how a process actually functions. By leveraging data to understand processes at a deeper level earlier in the audit cycle, process mining automates the process discovery activity and creates visual representations of business processes throughout the organisation. Internal auditors can analyse those visual representations quickly to identify risk, potential control breakdowns and inefficiencies, and to direct audit focus to the issues and opportunities that truly matter. This capability not only delivers significant efficiency gains but also drives a more effective and impactful audit process.
- AI and machine learning: These advanced capabilities increase the effectiveness and efficiency of complex testing and provide intricate analysis in real time. Examples include the application of classification and clustering algorithms designed to identify outlier and high-risk transactions and to better stratify populations for risk-based analysis. These capabilities also can perform predictive modeling to provide intelligent continuous process auditing. They can incorporate natural language processing techniques to identify word and phrase patterns in structured and unstructured data sources and documents.
These activities and tools enable internal auditors to translate an increasingly overwhelming amount of data into meaningful analysis with impact. Rather than parachute these capabilities into the old ways of doing things, the audit methodology itself must evolve to maximise their contributed value. That will allow data to be turned into useful information and insightful knowledge more quickly, used earlier and more effectively in the audit cycle to drive risk-focused scopes of work, and deployed to spotlight patterns and trends that previously would have been nearly impossible to identify. These capabilities, coupled with critical and divergent thinking, have the potential to steepen the value-delivery curve significantly for internal auditors.
This is the digital pathway that leads to the observations and recommendations stakeholders will value and can act upon. To make this happen, the future auditor must acquire new skill sets. Rarely will an audit plan be executed in its entirety before fresh insights and developments emerge, creating the need for changes to it. The future auditor recognises this dynamic and its implications for regular stakeholder meetings and a robust planning process that facilitates addressing organisational changes. The static annual planning process is now a relic of the past.
The above discussion is intended to be illustrative and not exhaustive. The ease of deployment of innovative capabilities varies from straightforward (e.g., using optical character recognition or a K-means clustering algorithm) to highly involved (e.g., deploying natural language processing with learning components). The point is that there is a multitude of opportunities for deploying advanced and emerging techniques in internal audit, including those that allow for the replication of aspects of auditor judgment in clarifying the real issues in the eyes of key stakeholders. That is why the future auditor develops an awareness of available techniques and methods to determine those with the greatest potential to drive increased efficiency and effectiveness into the internal audit process.
Process Mining: Laying the Foundation for Transitioning From Analog to Digital
The future auditor’s digital imperative is to challenge traditional audit approaches. In addressing this imperative, CAEs often raise the question, “Where to begin?” The answer lies in traditional auditing being mired in unreliable and manual-intensive walkthroughs, presenting a significant opportunity to deploy process mining technology to deliver significant efficiency gains and drive a more effective audit process. It is one of the best examples of the transformative effect of the future auditor’s transition to a digital world.
Process mining tools fundamentally change the way auditors analyse processes and perform audits. They deploy AI and machine learning to extract existing data from an organisation’s information technology systems to reconstruct visually how processes actually perform.
This capability is a marked shift from the traditional process walkthroughs and resulting audit tests. The following table illustrates the contrast:
Process mining is real, and it’s available now to internal auditors. But it does require a change in mindset because data, not human beings, tell the story about the process. As stated earlier, new technologies should not be “dropped in” to the traditional audit approach. The audit methodology itself must evolve to maximise their capabilities.
The good news is that for those rooted in the analog world of performing manual walkthroughs, preparing flowcharts, conducting process risk assessments and testing process controls, transitioning to data-driven process mining is not a huge leap. Time-consuming interviews are replaced with advanced analytics and review processes based on 100% populations and an automated walkthrough development effort. In traditional walkthroughs, process owners tell the auditor what they believe; in process mining, the data tells the auditor what’s really happening. The data offers a single version of the truth.
Analogous to applying an X-ray machine to a company’s processes, process mining tools capture data in the organisation’s systems and use it to depict how transactions are being processed. The process mining software creates a complete process flow based on the data. This capability is powerful as it can be applied to virtually any process where digital breadcrumbs (i.e., transactional timestamps) are created.
With ever-increasing expectations, internal audit needs to be more insightful about what it audits and in how it generates its findings. Process mining lays a foundation for the future auditor to embrace next-generation-enabling technology. In depicting what is actually happening, it visualises the core process flow and automatically isolates process variants and complexities, including areas that do not comply with the intended process design, and quantifies their impact. Thus, process mining focuses auditor attention on less common process paths and activities and the rework and other inefficiencies they spawn. This transparency utterly obviates traditional walkthroughs, as it provides management with a high degree of confidence regarding the improvements they can expect when effecting process change. In focusing on process “hot spots” to drive audit focus, this approach is much more effective in uncovering process weaknesses than the traditional walkthroughs and sample tests.
Reinforced by the future auditor’s approach to governance and support of an agile methodology, process mining presents the opportunity to leverage new audit staff — often consisting of younger generation employees — effectively by giving them projects that are tightly engaged with the business and its key processes and that capture and analyse relevant process data. It supports process risk assessment activities, quantifies the impact of nonconformance and the benefits of adherence to a consistent process, and optimises processes in real time through kick outs of outlier transactions. It also leads to reduced process costs and throughput times by driving focused efforts to eliminate process nonessentials, streamline essential process activities and automate selected process tasks. The result is increased efficiency and savings in time and money. When the auditor obtains the full picture with 100% data coverage and full process transparency, the resulting audit findings have much more impact.
Managing Change: Unlocking Value Through a Holistic Approach
Looking forward, two points are clear: First, change is both exciting and uncertain; it cannot be taken lightly. Second, as stakeholder expectations become more demanding, the notion of what it means to be an internal auditor is changing. True, there is comfort in the routines of the past, but can the CAE really expect those routines to contribute sustainable value as the world goes digital? The future auditor recognises that the only true security lies in the audit function’s ability to adapt to rapidly changing stakeholder expectations, align itself with the strategic concerns of the board of directors and the C-suite, and become comfortable with being uncomfortable, all the while learning and adapting at the pace of change.
As we asserted earlier, the implementation of enabling technologies alone cannot drive the transformation of internal audit. As new technologies are adopted, the other areas of next-generation internal audit — governance and methodology — must also evolve to unlock the true potential of innovation. For example, the value proposition for process mining is negated if the audit function’s methodology does not take advantage of its previously unavailable insights early enough in both audit planning and execution and leverage it in ongoing risk assessment and continuous monitoring activities. An agile methodology integrates enabling technology, data and information into the audit process effectively and efficiently.
Of equal importance is the future auditor having access to the requisite resources and skill sets to apply agile methodologies and enabling technology in a manner that meets the next-generation audit function’s objectives (e.g., improve assurance by increasing the focus on key risks in an efficient manner to provide deeper, more valuable and timely insights to stakeholders). Building a model and structure within the function that effectively blends business, internal audit and technology skill sets will help ensure that the additional capabilities presented by enabling technology are deployed at their highest and best use.
To that end, changes in methodology and embracing enabling technology are interrelated. They are made possible by the future auditor’s strategic vision and the organisation, skills, talent and collaboration needed to make that vision a reality. As organisations adopt more dynamic, agile methodologies pioneered in the technology sector in managing the business, internal audit must sustain its relevance by developing equally agile, flexible and dynamic ways to monitor risk, execute and report continuously on audit activities, and provide assurance and insight without adding undue friction to the flow of operations. That’s why more flexible, efficient and risk-focused ways of working are needed.
When moving at the speed of change, mistakes are inevitable. Internal auditors must try new things and learn through trial and error, failing fast and sorting out what works from what doesn’t. That is the way of progress toward delivering greater efficiency and effectiveness and driving more valuable, actionable business insights in the audit process. Audit committees and senior management should support innovation by internal audit. Pilots and quick wins can build momentum toward additional investment and resources. The future auditor encourages department employees to act in an agile manner without imposing an overly structured approach that would stifle initiative.
Having an agile methodology enabled with the right resources and technology helps the future auditor sustain internal audit’s relevance by providing greater assurance to stakeholders on the risks that matter most and in a more efficient manner. As companies move to cloud computing and adopt AI and machine learning practises to conduct business at the speed of innovation, internal audit is expected to do more and in different ways. Inevitably, the increase in enterprisewide automation drives internal audit to make similar changes as well. With these dynamics in play, the future auditor is undaunted that such leadership is entirely unnatural for many internal auditors.
Holistic transformation requires the future auditor to look across the three themes of governance, methodology and enabling technology and select aspects of them that will best meet the needs of the business and its stakeholders. Adaptability and agility are the new normal. Transformation is a continuing journey along the path of innovation, and internal audit must be a part of that journey. The technologies and methods that are new today are not going to be the same ones required to stay ahead of the change curve five years from now. That said, process mining lays a foundation today from which to launch a new and exciting way of auditing going forward.
 “The Future Auditor: The Chief Audit Executive’s Endgame,” The Bulletin, Volume 5, Issue 6, Protiviti, April 2014
 “The Future Auditor Revisited,” The Bulletin, Volume 6, Issue 3, Protiviti, July 2016
 “The Future Auditor’s Advancement of the Audit Committee Relationship,” The Bulletin, Volume 6, Issue 7, Protiviti, August 2017
 The Next Generation of Internal Auditing — Are You Ready? Catch the Innovation Wave, Protiviti, November 2018
 See discussion on the Protiviti website (here) for an explanation of the attributes of a “digital leader.” While most companies aren’t digital leaders, management can use Protiviti’s digital maturity framework — available on the aforementioned web page — to assess their organisation’s digital readiness using attributes of digital leaders.
 2019 Internal Audit Capabilities and Needs Survey: Embracing the Next Generation of Internal Auditing, Protiviti, March 2019
 “PCAOB Issues Outlook to Audit Committees for 2019 Staff Inspections,” Protiviti Flash Report, March 22, 2019
(The Bulletin: Volume 7, Issue 3)